EXECUTIVE SUMMARY


In response to a request from the House of Representatives Committee on Science, 
Space, and Technology in its Report No. 102-500 of April 22, 1992, the Aerospace Safety 
Advisory Panel (ASAP) created an ad hoc task force to conduct a thorough assessment of 
the Space Shuttle Main Engine (SSME). The membership was drawn mostly from organizations 
other than ASAP, and this report represents the views of that task force. Its task was to assess 
the risk that the SSME poses to the safe operation of the Space Shuttle, to identify and evaluate 
improvements to the engine that would reduce the risk, and to recommend a set of priorities 
for the implementation of these improvements. 

The SSME Assessment Team, as it opted to call itself, convened in mid-1992 and, 
subsequently, met with and gathered information from all the principal organizations involved 
in the SSME program. These included the Rocketdyne Division of Rockwell International, 
the Marshall Space Flight Center of NASA, and the Pratt & Whitney Division of United 
Technologies Corporation. The information in this report reflects the Program status as of 
October 1992. From the information received, the Team formed its conclusions and 
recommendations. Changes in the program status have, of course, occurred since that time; 
however, they did not affect the Team’s conclusions and recommendations. 

Background 

The constraints on weight, dimensions, and performance, as well as the requirement 
of reusability, were significant drivers in the design of the SSME. They led to the selection 
of the staged-combustion engine thermodynamic cycle and system pressures as high as 7,900 
psi, about three times as high as earlier rocket engines. The pressure levels and allowable 
system weight resulted in turbomachinery with unprecedented power-to-weight ratios, as high 
as 100 horsepower per pound. Weight limitations also led to extensive use of welds and high- 
strength materials in the structure of the engine. By all accounts, the SSME is a marvel of 
engineering achievement but fraught with problems resulting from a highly sensitive, interactive 
cycle and ultra-lightweight design. 

The development program had a history replete with problems, not unlike other rocket 
engine development programs. The original plan to conduct turbopump component-level 
development tests had to be abandoned because of difficulty in manufacturing components 
on schedule as well as major failures of component test facilities. As a consequence, the 
first article was diverted from component- to engine-level tests. The high-pressure turbopumps 
proved to be the most intractable components and were the cause of many failures, although 
other components contributed to development difficulties and delays. After the difficulties 
were assessed, the original objective of certifying the SSME for operation at 109 percent of 
rated power level (RPL), also called full power level (FPL), was deferred. Instead, certification 
at RPL became the objective for the first manned orbital flight (FMOF) engine and was 
ultimately achieved. 

A series of three improvement programs followed, ultimately aimed at achieving the 
original objective of certification at FPL and 55 mission life. Many design changes were 
incorporated, and the engine achieved certification for operation at 104 percent RPL albeit
with many precautionary controls and restrictions such as special inspections and severe service 
life limitations on many parts. After the Challenger accident, the safety and operating margins 
of the entire Shuttle system were re-examined and additional changes were incorporated into 
the SSME. Also, the power-level objective was formally changed to 104 percent RPL with 
operation at FPL to be employed only in the event of a "contingency abort." The configuration 
resulting from this effort still required the numerous precautionary controls noted above. 

Assessment of Safety 

To assess the safety of the SSME, the Team reviewed the results of the most recent 
Hazard Analysis, Failure Modes and Effects Analysis (FMEA) and resulting Critical Items 
List (CIL), and Reliability Analyses. In addition, the design and operating margins attributed 
to engine components were reviewed as well as the methodology of the precautionary controls 
imposed on the system. 

The analyses were thorough and comprehensive. They identified hazards and failure 
modes and documented the rationales for accepting risks along with controls and precautions 
being applied to mitigate risks involved for the items on the CIL. Although some parts and 
components do not meet the specification requirements, operating margins are provided by 
means of precautions such as service life limits and special inspections. Systems are in place 
and operating, therefore, to provide assurance that the hardware will not exceed its limits 
as they are understood. 

Reliability analyses of systems that continue to change and evolve are notoriously subject 
to criticism because they lack statistical and mathematical "purity." Nonetheless, such analyses 
can provide insight into the order of magnitude of system reliability and its trends with time 
and hardware improvements. Rocketdyne and MSFC independently performed such analyses 
using the data base from engine tests and flights. The two organizations employed different 
mathematical methodologies as well as ground rules for inclusion of data. Remarkably, the 
results of the two are similar: for a 3-engine cluster, the probability of encountering an engine 
shutdown (a contained failure) operating at 104 percent RPL is about 1 in 45 flights; the 
probability of an uncontained (Criticality-1) failure is about 1 in 120 flights. The contained
failures will result in the use of an intact abort mode planned for such eventuality so that 
crew and vehicle will be saved. The consequence of an uncontained failure cannot be predicted, 
but can easily result in an abort with loss of vehicle or, worse, loss of crew and vehicle. Because 
the analyses cannot and do not take into account the effects of all the special controls and 
precautions currently taken with the engines prior to clearing them for flight, the Team believes 
that the actual single flight reliability of the engine is higher than the numbers would indicate. 
That consideration, coupled with flight experience, leads the Team to consider that the engine 
is safe to fly — provided the system of controls is applied vigorously and rigorously. 

Proposed Improvements 

The foregoing notwithstanding, operating experiences and the continuing occurrence 
of hardware problems indicate that the SSME is not as rugged as is desired for such a machine. 
Also, the manpower consumed in executing all the precautions and controls certainly adds 
substantially to the recurring costs of using the engine. A number of major improvements
to the engine, designed to overcome its shortcomings, are in various states of development. 
They are: single-tube heat exchanger, alternate high-pressure turbopumps, large-throat main 
combustion chamber, and two-duct powerhead. The Team reviewed the designs and development 
history and state of each of these components. The designs respond to the known performance, 
safety, and manufacturing problems of the components they are to replace and, if they achieve 
their objectives, will greatly enhance engine reliability and safety. Each component has 
encountered developmental problems that appeared to have been largely overcome at the 
time of this review. The Team encourages the completion of these developments and their 
incorporation into the fleet. But because of budgetary and other problems over the course 
of the years, improvements have been undertaken in a serial fashion, and the current plans 
for development and certification are not as efficient and coherent as they might be. Detailed 
consideration should be given to altering the plans so as to effect a "block change" incorporating 
all these modifications at once. 

Conclusions and Recommendations 

In summary, the Team considers that it is safe to fly the SSME provided that all special 
controls are scrupulously followed. The safety and reliability of the engine can be improved 
substantially by incorporating all of the major changes noted above. These changes will reduce 
reliance on people and processes for safety and shift its achievement to the inherent ruggedness 
and operating margins of the hardware. If priorities must be imposed, the consensus of the 
Team is that, on the basis of safety and reliability impact, the following should prevail: 

Priority I: Single-Tube Heat Exchanger 

Alternate High-Pressure Oxidizer Turbopump 
Large-Throat Main Combustion Chamber 

Priority II: Alternate High-Pressure Fuel Turbopump 

Two-Duct Powerhead 

The changes should be implemented as soon as possible, preferably as a block change 
rather than as serial changes proposed in current plans. Based on its collective experience, 
the Team believes that the block change approach would be more economical. However, 
a detailed study of costs, schedule, and technical aspects of both approaches should be made. 

It can be expected that anomalies and new phenomena will continue to occur as operating 
and test experience is gained. A competent, sustaining engineering function should be maintained 
to ensure thorough investigation of all such occurrences. Efforts to develop improved fabrication 
and inspection techniques for the SSME should be continued and encouraged. 
I. INTRODUCTION


In its Report No. 102-500 (see Appendix 
A), dated April 22, 1992, on the NASA 
Multiyear Authorization Act of 1992, the 
House of Representatives Committee on 
Science, Space, and Technology requested 
that the Aerospace Safety Advisory Panel 
(ASAP) create a temporary task force of 
propulsion experts, including non-ASAP 
members, to conduct a thorough assessment 
of the Space Shuttle Main Engine (SSME). 
This task force was requested to: (1) assess 
the risk that the SSME poses to the safe 
operation of the Space Shuttle; (2) identify 
and evaluate engine improvements that 
would eliminate or reduce these risks; and 
(3) recommend a set of priorities for the 
implementation of these improvements. 

Such a group was assembled; its 
membership is listed in Appendix B. It was 
co-chaired by individuals affiliated with the 
ASAP, but the majority of the membership 
was from other organizations. The group 
adopted the name "SSME Assessment 
Team." 

During the months of July and August 
1992, the Team convened at the Rocketdyne 
Division of Rockwell International, the 
designer and manufacturer of the SSME; 
the Marshall Space Flight Center of NASA, 
the project management center for the 
SSME; and the West Palm Beach, Florida, 
facility of the Pratt & Whitney Division of 
United Technologies Corporation, designers 
and manufacturers of alternate high-pressure 
turbopumps for the SSME. At these 
meetings, the Team was briefed on the 
history and status of each organization’s 
participation in the SSME program, their 
evaluations of the safety and reliability of 
the engine system (or their parts thereof),
and descriptions, status, and evaluations of
the hardware improvements on which they 
were working or had recommended. 

Subsequent to the briefings, the Team 
met to review and discuss its findings and 
to develop its conclusions and recommenda- 
tions. From these Team-only sessions, issues 
and further questions arose that were 
pursued by individual members and reported 
to the entire Team. A consensus was agreed 
upon, and report drafts were written, 
reviewed, and edited until all members were 
satisfied with both content and presentation, 
which reflects the Program status of October 
1992. 

In the course of the abovementioned 
process, the Team realized that the 
recommendations to be made were 
dependent not only on the technical details 
and the status of the engine system 
improvements currently underway or 
proposed, but also on the planned 
operational life of the Space Shuttle. In 
addition, some operational aspects of the 
Shuttle, in particular abort modes, had to 
be considered. Any engine improvement 
that increases its robustness or permits an 
increase in usable thrust level mitigates the 
risks associated with aborts. The Team’s 
views were based on the assumptions that 
the Shuttle would continue in service at its 
currently planned launch rate beyond the 
year 2000 and that engine improvements 
that would act to mitigate or eliminate the 
need for any abort mode would be consid- 
ered. These assumptions are implicit in this 
report. 

Section II of the report describes the 
history of the SSME development and details 
current deficiencies. Section III provides
the findings of the SSME safety assessment, 
while Section IV presents proposed engine 
improvements. The SSME Assessment 
Team’s conclusions and recommendations 
are contained in Sections V and VI, 
respectively. 


The Team would like to acknowledge 
and express its appreciation for the 
cooperation and assistance it received from 
all the organizations and individuals who 
participated in its activities. 
II. BACKGROUND


The Space Shuttle Main Engine (SSME) 
is the first reusable, computer-controlled, 
liquid hydrogen/liquid oxygen rocket engine 
of the 500,000-pound thrust class. The 
engine is throttleable over the thrust range 
from 65 to 109 percent of rated power level 
(RPL) and controlled to start, stop, and 
maintain a commanded power level and 
mixture ratio by an electronic controller. 
Three of these engines, clustered in the aft 
end of the Space Shuttle Orbiter and 
supplied with propellants from the External 
Tank, operate for approximately 8.5 minutes 
(in parallel, for 2 minutes, with two Solid 
Rocket Boosters) to launch the Shuttle into 
orbit. The Shuttle is designed such that any 
contained engine failure can be safely 
overcome by employing one of several abort
modes. In the event of such an engine
failure, some of the abort modes require 
the two operating engines to run for up to 
14 minutes. 

The engine system comprises a number 
of major component assemblies (Figure 1). 
Among them are: the powerhead, four 
turbopumps, two preburners, five hydraulically
operated main propellant valves, a
regeneratively cooled main combustion 
chamber and nozzle, dual electronic 
controllers, and a main injector. In addition, 
there are many fluid lines, ducts, pneumatic 
valves, and electrical components and wiring. 
In all, an engine is composed of over 11,000
parts. 
DESIGN DRIVERS

The Shuttle system design requirements 
of size, weight, performance, and reusability 
were significant drivers in the engine design 
choices. Shuttle payload requirements led 
to the selection of the staged-combustion 
engine cycle because it would provide the 
highest Specific Impulse (Isp). In this cycle, 
combustion of the propellants occurs in two 
steps. In the first, most of the hydrogen and 
part of the oxygen from the high-pressure 
turbopumps are burned in a very fuel-rich 
mixture in a pair of relatively small 
combustion chambers called preburners. 
The products of combustion are ducted to 
drive the turbines of the two high-pressure 
turbopumps. After exiting the turbines, 
these gases pass through the powerhead 
tubes to the Main Combustion Chamber 
(MCC) injector, where they are mixed with 
additional propellants to be burned at very 
high temperature (approximately 6,000 R) 
and then expanded through the nozzle to 
produce thrust. The staged-combustion cycle
is inherently highly interactive in that a small
change in an adjustable parameter such as 
a flow or pressure in one part of the system 
can have dramatic effects throughout the 
engine. 

Size limitations, in combination with 
the thrust requirement, led to system 
pressures as high as 7,900 psi. This is a 
factor of three greater than the system 
pressure of earlier rocket engines. The 
pressure level and the allowable system 
weight resulted in turbomachinery with an 
unprecedented horsepower-to-weight ratio, 
as high as 100 horsepower per pound. 
Weight constraints also drove the engine 
to employ design choices like: welded instead 
of bolted joints, the welding of forged parts 
instead of castings to produce complex parts 
such as manifolds and volutes, and the use 
of high-strength materials. Unfortunately, 
the latter are sensitive to hydrogen and require
the use of protective treatment like
coatings, gold plating, or weld overlays. In 
summary, the Shuttle system requirements 
led to a complex engine design that is 
difficult to manufacture and maintain. 

DEVELOPMENT HISTORY 

The SSME development contract was 
signed in August 1972. Initially, develop- 
ment was to employ the Design Verification 
Specification (DVS) approach, which 
requires tests to be performed at the lowest 
possible assembly level (e.g., component, 
subsystem, system) to demonstrate that 
design specifications had been met. In late 
1973 and early 1974, numerous problems 
such as component facility construction 
delays, weight-driven design changes, and 
changes to achieve needed structural strength 
delayed component fabrication and testing. 
This resulted in a decision to divert the first 
article of each component from planned tests 
at the component level to engine-level tests. 
For example, engine-level testing of the high- 
pressure turbopumps began 3 months before 
component-level test began. Subsequently, 
a number of component test facility failures 
occurred and this, coupled with a very high 
rate of hardware attrition in the test program,
led to a decision to cancel the comprehensive
turbomachinery level test
program that had been planned. 

The engine-level test program required 
50 tests, 11 turbopump replacements, and 
over 3 months to develop acceptable start 
and shutdown sequences and reach 50 
percent of rated thrust (minimum power 
level). All effort was then directed towards 
meeting the specified 109-percent power 
level [full power level (FPL)] and 55-flight 
system life. In this process, many problems 
were encountered; some because of opera- 
tion under internal conditions more severe 
than those experienced in previous engine 
developments. Others were caused by 
manufacturing defects, operational errors,
and the consequences of design assumptions 
that proved incorrect. Among the more 
significant problems encountered were: High 
Pressure Fuel Turbopump (HPFTP) sub- 
synchronous whirl (a rotordynamics 
phenomenon) and turbine blade failures; 
High Pressure Oxidizer Turbopump 
(HPOTP) explosions caused by failures of 
the inter-propellant seal package and bearing 
and of the pre-burner and MCC injectors. 
By April 1981, 19 major engine failures had 
occurred. 

All failures were subjected to detailed 
failure analysis, and corrective actions were 
devised and implemented. The elimination 
of many instruments and their ports and 
bosses to reduce weight led to difficulty in 
determining failure causes because data on 
internal engine conditions were not available. 
Also, because in the uncontained failures 
the hardware was consumed by the resulting 
fire, conclusive evidence of cause could not 
be obtained. Consequently, multiple 
changes, identified via failure-tree analyses, 
were incorporated. Although limited to RPL 
thrust and severely restricted as to 
reusability, the SSME was given preliminary
certification in March 1980 for the first 
manned orbital flight (FMOF) of the Shuttle. 


FLIGHT CONFIGURATIONS 

After the travails noted above, it was 
decided that the goal of achieving a certified 
FPL engine should be deferred and that the 
FMOF configuration engine should be 
formally certified for RPL. Certification 
requirements had been evolving and were 
now formally defined to comprise a series 
of 13 tests accumulating 5000 seconds of 
engine operation. The tests included 
multiple runs covering design-mission 
profiles, an abort mission profile, and an 
"overstress" test at 2 percentage points above
the specified power level. These tests were
to be performed twice on each of two en- 
gines, the so-called 2-by-2 rule. This would 
qualify the engine configuration for five 
flights. A further requirement for achieving 
flight clearance was the accumulation of 
65,000 seconds of engine operating time. 
The FMOF configuration completed 
certification in the Fall of 1980 and was used 
on the first five Shuttle flights, starting in 
April 1981. 

A series of three improvement programs 
followed in an attempt to achieve the origi- 
nal development goals. The first, Phase I, 
sought to increase engine service life and 
to certify the engine for normal operation 
at FPL. The many design changes that were
incorporated and tested improved service 
life but did not achieve routine operation 
at FPL. Instead, the engine was certified 
at 104 percent RPL, and this basic 
configuration was used from STS-6 through 
the Challenger accident. Problems and test 
failures continued to occur during this 
period, and more special inspections and 
part life limits [Deviation Approval Requests
(DARs)] had to be imposed to preclude 
inflight problems. 

During this period, a substantial number 
of major design changes were proposed to 
improve safety margins and service life, and 
to achieve FPL for normal operation. 
However, budget constraints limited the 
scope of the Phase II improvement program. 
Particular emphasis was placed on achieving 
certification at FPL, reducing the many 
inspection and maintenance requirements 
(DARs) imposed on the high-pressure 
turbopumps, and extending their service lives 
to 5,000 seconds. Other detailed design 
changes in this program addressed issues 
such as mitigating high-cycle fatigue 
problems and reducing temperature spikes 
during throttle transients. 
Progress was being made towards these
goals at the time of the Challenger accident.
Subsequently, the safety and operating 
margins were re-examined and the Phase 
II program was revised. Approximately 40 
additional detailed design changes were 
added, and the power level target was 
changed to 104 percent RPL with FPL 
capability in the event of a "contingency 
abort" (i.e., to avoid a ditching). FPL 
capability was demonstrated during the 
certification test program as well as by a 
short duration [run] at FPL during each 
flight engine acceptance test. The resulting 
configuration achieved certification and was 
dubbed the "return-to-flight" or Phase II
engine. Although the engine subsequently 
accumulated some 90,000 seconds of test 
time, it still required frequent removal, 
disassembly, and overhaul of both high-pres- 
sure turbopumps (1 to 3 flights), and a large 
array of DARs remained for the entire 
engine. 

In an attempt to ameliorate the need 
for frequent turbopump overhaul, a third 
modification program was initiated in 1988. 
This was the "10K pump" program, so called 
because its objective was to certify both 
turbopumps for 10,000 seconds of service 
life. The 10K HPFTP achieved a 7-to-8 
flight certification in late 1991, was first used 
in flight in May 1992, and is now being 
incorporated in the fleet. The 10K HPOTP 
attempt was less successful; the pump that 
resulted (P-HPOTP) still requires pump-end 
replacements every 1 to 3 flights and 
complete overhaul after 4 to 6 flights. 

CURRENT STATUS 

The SSME is a highly sensitive machine 
whose components must be monitored 
closely to ensure their compatibility and 
safety. Hundreds of "generic" inspections
are contained in the Orbiter Maintenance
Requirements Specification Document 
(OMRSD), all of which require highly 
skilled, experienced, and dedicated 
technicians to perform them. In addition, 
an average of 75 engine-specific inspections 
and life limitations are required for each 
engine because of the difficulty in building 
the parts exactly to drawing requirements. 
Some of the variations among parts or sub- 
assemblies that have been accepted for use 
have performance effects sufficient to require 
care and vigilance in the selection of 
components for assembly into an engine. 
This process results in the selective assembly 
of engines. 

The foregoing considerations require 
the expenditure of many man-hours of effort, 
not only to perform the inspections, 
overhauls, and requisite acceptance tests, 
but also to keep and review the records and 
pedigrees of hundreds of parts to assure the 
suitability of an engine for flight. Although 
the engine is classified "reusable," the term 
cannot and must not be employed as is done 
with respect to aircraft gas turbine engines. 

Known deficiencies have led to steps 
to achieve confidence in the hardware. 
Design changes to rectify the problems and 
to produce more robust hardware have been 
under continuous development. These 
development activities have been subject 
not only to the normal technical problems 
of any development, but also to the vagaries 
of budget processes that cause interruptions 
and discontinuities in the activities. 

Despite the reservations that one can 
have about the flight-worthiness of engines 
that require such detailed care and attention, 
they are indeed being used for flight. The 
question, "Are they safe?," is ever present 
and is addressed in Section III, Assessment 
of System Safety. 
III. ASSESSMENT OF SYSTEM SAFETY


System safety assessment is a many- 
faceted process that includes performing 
Hazard Analyses, Failure Modes and Effects 
Analyses (FMEA), and Reliability Analyses; 
developing a Critical Items List (CIL); and 
examining the design and operating margins 
of the components. The safety of the Space 
Shuttle Main Engine (SSME) is continuously 
addressed by all the organizations involved 
and by ad hoc groups from time to time. 
A complete safety re-evaluation of the SSME 
was conducted after the Challenger accident, 
and its elements have been subjected to 
updating as new information became avail- 
able. The SSME Assessment Team reviewed 
and evaluated the information resulting from 
these efforts; its major findings are sum- 
marized in this section. 


HAZARD ANALYSIS 

The Hazard Analysis enumerates all 
potentially unsafe conditions or events, 
identifies the potential sources of such 
conditions, and provides the rationale for 
the mitigation and/or acceptance of the 
risk involved. The hazard fault tree in 
Figure 2 identifies 16 SSME failure modes 
that could result in loss of crew and/or 
vehicle due to fire and/or explosion. Seven 
failure modes are considered controlled 
through design, inspection and test, or 
demonstrated reliability. Nine are accepted 
risks based on analysis and probability of 
occurrence. Table 1 is illustrative of the 
reasoning and actions taken to mitigate and 
control the risks to an acceptable level. The
complete Hazard Analysis contains
exhaustive examinations of the hazards
present during each of the several phases
of engine operation from pre-start to
shutdown and, for each phase, addresses the
contributions of each subsystem to the
hazards of that phase of engine operation
and how they are controlled. This analysis
was thorough and effective.

Figure 2. Hazard Fault Tree Example

Table 1. Risk Reduction Actions

Hazard Number: ME-B2
Hazard Title/Risk Issue:
    FPB burnthrough, rupture, explosion
    • POPS during start and cutoff
Risk Reduction Recommendations:
    Reduce the hazard classification from accepted risk to controlled
Program Action To Reduce Risks:
    Based on thermal/dynamic analysis and hot fire history on POPS; the
    hazard classification for fuel preburner POPS will be reduced to
    controlled
    POP data base (1,099 tests, 47 engines) showed no FPB POPS higher
    than 6,000 Gp-p
    No FPB Faceplate deformation was ever attributed to a POP
    Preburner POP issue was briefed to SSRP in meeting no. 3
    Changes to the OMRSD DV41AME.010 (new POP criteria, magnitude, and
    time-frame) have been approved

Hazard Number: ME-B3
Hazard Title/Risk Issue:
    HEX burnthrough, rupture, explosion
    • Mechanical damage from foreign objects
    • Weld/material failure
Risk Reduction Recommendations:
    Develop a single coil heat exchanger design for the SSME that will
    improve the margin of the flight HEX
    Reduce material inclusions or stringers
Program Action To Reduce Risks:
    Single tube heat exchanger (ECP-1 14330)
    • Design in development phase
    • Improve tube margin by increasing tube wall from 0.0125 and
      0.0265 to a uniform 0.032 thickness
    ECP 990 requires the use of double vacuum melted ingot to control
    impurities in the material. Material process has been incorporated
    Single tube heat exchanger (ECP 11433) eliminated critical weld
    joints
    First unit to be installed on Engine 0220
    • Testing is scheduled for August 1992
    • Single tube heat exchanger is scheduled for STS-68 flight

FAILURE MODES AND EFFECTS 
ANALYSIS 

The FMEA employs a "bottom-up" ap- 
proach, in contrast to the "top-down" 
approach of the Hazard Analysis. It asks, 
at the lowest levels of each subsystem, "How 
can this device/part fail and what are the 
effects and consequences of such a failure 
on the component and all other interfacing, 


ingrafting components?" The consequences 
of each failure mode identified are classified 
according to their severity. Failure modes 
that could lead to loss of crew and/or vehicle 
fall into the "Criticality-1" (CRIT-1) 
classification. These items are then collected 
on a Critical Items List (CIL). The CIL is
used as a management tool to focus attention 
on the mitigation or control of the failure 
mode via actions such as redesign, use of 
redundancy, and special inspections or tests. 

After the Challenger accident, the 
Shuttle System FMEA, including the SSME, 
was performed again under a more stringent 
set of ground rules and at greater depth 
than had been used in the original analysis. 
Table 2 lists the numbers of CRIT-1 items 
on the original and revised CILs. The changes
in the ground rules and depth of analysis
led to the significant increase in CRIT-1
items. The revised CIL led to the introduction
of over 100 design, software (S/W),
inspection, test, operations, and process
changes in the SSME. Table 3 indicates the
distribution of these changes among the
SSME subsystems. The "top 10" CRIT-1
items of the revised CIL are presented in
Table 4, along with the proposed changes
and their current status. As changes are
incorporated, this living list is updated as
the risks are mitigated or eliminated.

Table 2. Distribution of CRIT-1 Pre- and Post-51L CILs

Subsystem                        Current CIL   Pre-51L CIL
Combustion Devices                    33            10
Turbo Machinery                       39            15
Pneumatic Controls                    11             3
Propellant Valves                     39            21
Actuators                             18             1
Controller/Harnesses                   3             0
Igniters/Sensors                      23             2
Lines, Ducts, Joints, Orifices        23            21
Totals                               189            73

Table 3. Distribution of Modifications

                                           Modifications
Subsystem                        Design   S/W   Process   (illegible)
Combustion Devices                 22       1       7          3
Turbo Machinery                    16       0       2          0
Pneumatic Controls                  1       1       0          1
Propellant Valves                   0       0       1          2
Actuators                           3       0       1          1
Controller/Harnesses                8      25       0          4
Igniters/Sensors                    4       0       3          1
Lines, Ducts, Joints, Orifices      5       0       1          1
Total                              59      27      15         20

RELIABILITY 

The FMEA and Hazard analyses 
identify potential failures. The Reliability 
analysis determines the probability of failure 
occurrence. There are two ways to estimate 
the probability of an engine failure. The 
first is to determine or estimate the 
reliability of each component and then 
combine them mathematically to arrive at 
an estimated system reliability. No suitable 
reliability data base exists at the component 
level for the SSME. Estimating component 
reliabilities when truly comparable similar 
components do not exist is, at best, not 
meaningful and, at worst, misleading. This 
is the case for the SSME, as no data for 
components with similar operating conditions 
can be found on which to base calculations. 
The second approach is to use and analyze 
available engine-level test and failure data 
statistically. This is the approach that has 
been employed independently by both 
Rocketdyne and MSFC. 

Statistically valid reliability calculations 
require an extensive data base. Purists can 
argue, with merit, that the test and flight 
data on the SSME are limited and, therefore, 
results of reliability calculations are suspect. 
Nonetheless, some 62 flight-configuration 
engines (albeit of differing configurations) 
have been hot-fired for a cumulative 
operating time of 462,567 seconds 
(equivalent to approximately 900 missions) 
as of the time of this writing. Although 
these data do not satisfy the conditions 
required for mathematically pure reliability 
calculations, they certainly provide a base 
for developing useful estimates of the range 
of reliability of the SSME and of reliability 
trends with time, provided all the 
assumptions, limitations, and caveats are 
taken into account. 

Table 4. Top 10 FMEA/CIL Components 

| Rank | Component | Failure Mode | Design/Mfg. Process Improvements | Status: Cert | Status: Flight |
|---|---|---|---|---|---|
| 1 | Heat exchanger | HEX coil fracture or leakage | Single coil HEX eliminates interpropellant welds and increases wall thickness. Simplified assy technique and tooling. State-of-art tube inspection equipment | Planned FY 93 | FY 94 |
| 2 | High pressure fuel turbopump | Turbine blade structural failure | 10K pump improvements; blade pocket and assembly fit checks. Computer tomography inspection | Complete | STS-45 |
| 3 | High pressure oxidizer turbopump | Turbine piece part structural failure | 1st stage disc pilot rib redesign and modified tip seal retainers | Complete | STS-49 |
| | | | Converted 14 welds to robotic | Complete | STS-45 |
| 4 | Hot gas system joint G15 | Leakage | Added flow recirculation inhibitor and joint effective gap measurement | Complete | STS-34 |
| 5 | High pressure oxidizer turbopump | Turbine blade structural failure | Modified tip seal retainers and improved damper inspection | Complete | STS-45 |
| 6 | High pressure oxidizer turbopump | Loss of support, position control, or rotordynamic stability | Improved bearing drying and added weld 3 strain gages | Complete | STS-31 |
| 7 | Oxidizer preburner oxidizer valve actuator | Fails to respond to position commands | Added improved clearance measurements and functional threshold test | In-process FY 93 | FY 94 |
| 8 | LPFTP discharge duct | Fails to contain hydrogen | Added corrosion inhibitor | Complete | STS-28 |
| | | | Improved tripod radius inspections | Complete | STS-41R |
| 9 | Nozzle assembly | External rupture | Eliminated 18 critical welds on steerhorn and feedlines | FY 94 | TBD |
| 10 | High pressure oxidizer turbopump | Loss of axial balancing force | Added improved silver seal bottoming and retainer ring inspections | Complete | STS-45 |

Rocketdyne Analysis. This reliability 
analysis used a binomial model for equivalent 
mission profiles. This approach 
accounts for the different power levels of 
operation and treats failures as random and 
independent. By using a "redesign 
effectiveness factor" for the changes of 
reliability effected by implementing design 
changes subsequent to a failure, the effects 
of engine configuration changes over time 
are taken into account. Rocketdyne 
calculations using the test and flight 
history of the SSME yield the results shown 
in Table 5 for a three-engine cluster with 
an assumed 0.5 redesign effectiveness factor 
(a conservative assumption). For a typical 
flight at 104 percent RPL, the calculations 
indicate that a CRIT-1 failure may be 
expected every 139 flights and an engine 
inflight shutdown every 45 flights. The effect 
of increasing power level above 104 percent 
RPL is marked. At FPL (109 percent), a 
CRIT-1 failure can be expected every 20 
flights and an inflight shutdown every 8 
flights. If a 1.0 design effectiveness factor 
is assumed (i.e., the failure mechanism is 
fully eliminated), the 104 percent RPL 
numbers become 336 and 120 for CRIT-1 
and shutdown, respectively. The number 
of flights between these types of failures 
most probably lies somewhere between these 
two sets of numbers. 

Table 5. SSME Reliability (3 Engines) With a 0.5 Redesign Effectiveness Factor 

| Engine Operating Phase | Flights Between Incident: SSME Safe Shutdown | Flights Between Incident: CRIT-1 Failure |
|---|---|---|
| Liftoff | 42 | 363 |
| Mainstage, 100% RPL | 112 | 254 |
| Mainstage, 104% RPL | 45 | 139 |
| Mainstage, 109% RPL | 8.3 | 20 |

MSFC Analysis. The Marshall Space 
Flight Center (MSFC) made independent 
calculations of the reliability of the SSME 
using the same data base as Rocketdyne, 
but with slightly different ground rules 
governing which data to include. MSFC 
used the U.S. Army Material System 
Analysis Activity reliability growth model 
for its calculations. In this model, the data 
input is the number of failures as a function 
of cumulative test time. These data are 
curve-fit to an exponential function that 
feeds into the reliability calculations. The 
use of the exponential function to convey 
reliability growth serves a purpose similar 
to the redesign effectiveness factor in the 
Rocketdyne methodology. The MSFC 
analysis yields 118 as the number of flights 
between CRIT-1 failures at 104 percent and 
48 for a safe engine shutdown. These 
numbers are roughly comparable to those 
resulting from the Rocketdyne analysis with 
a 0.5 effectiveness. 


As noted, both types of analyses account 
for the effects of reliability improvements 
either by hardware or procedural changes 
as appropriate. Nonetheless, unanticipated 
failures continue to occur; some because 
the changes do not fully eliminate the causal 
factor(s), others because of incomplete or 
inexact comprehension of internal loads and 
environments. Figure 3 shows the engine 
failures experienced as a function of time. 
Prior to 1985, testing was conducted at a 
rate of approximately 33,300 seconds per 
year. From 1979 to 1985, the mean time 
between failures was about 8,000 seconds. 
Starting about 1987, the test rate increased 
to about 43,000 seconds per year and, for 
the period from about 1987 to 1990, the 
mean time between failures increased to 
about 18,000 seconds, indicating an increase 
in reliability. Most recently, however, from 
about 1990 to mid-1992, the mean time between 
failure dropped to about 9,000 
seconds. Thus, although overall experience 
would indicate that the reliability of the 
SSME is increasing, it is not possible to 
predict when failures will occur. 

Figure 3. Engine Failure Rate and Accumulated Test Time 

It must be recognized, however, that 
the abovementioned failures occur on the 
test stand and include new and rebuilt 
hardware as well as modified hardware 
under development. Flight hardware is 
subject to myriad special inspections, 
acceptance tests, and servicing between 
missions. Also, the components and parts 
are constrained to use well below their 
demonstrated service life expectancy. 
Further, redline limits are imposed to 
minimize the risk of catastrophic failure by 
shutting down the malfunctioning engine and 
then employing an abort mode to save crew 
and vehicle. Some of these controls are 
described below. 

HARDWARE MARGINS AND LIFE 
LIMITS 

The SSME Contract End Item (CEI) 
specifications stipulate structural design 
criteria, certification test requirements, and 
fatigue life design criteria. These and other 
requirements are intended to ensure engine 
reliability and safety. Originally, the design 
objective was that the engine would be 
capable of 55 starts and 27,000 seconds of 
run time. Recent changes made in the 
specifications now require 30 starts and 
15,000 seconds run time for all components 
other than high-pressure turbopumps and 
flexible ducts. The latter must be capable 
of 20 starts and 10,000 seconds run time. 
Engineering analysis and component tests 
are used to establish structural margins of 
safety and to verify that fatigue life satisfies 
criteria. However, several engine 
components do not meet, much less exceed, 
all the CEI requirements. To ensure that 
operating margins exist, life limits, special 
inspections, and other criteria and limits are 
imposed. 

Design Margins. Specifications for the 
design of SSME components require the use 
of structural factors of safety of 10 percent 
above yield strength and 40 percent above 
ultimate strength of the materials employed. 
Also, life factors for both Low Cycle and 
High Cycle fatigue properties are stipulated 
to ensure margin for component life require- 
ments. To account for unavoidable 
variations in material properties, dimensions, 
and loads, the design analyses are made 
using minimum material properties, worst 
case dimensions, and maximum expected 
loads. Of course, the designs are only as 
good as the knowledge of these factors. In 
1988, a thorough structural review of the 
SSME for some 1,735 major parts identified 
over 250 parts requiring additional analyses 
or tests. These were performed, and where 
indicated, design changes were incorporated. 

Operating Margins. To ensure the 
flight safety of components that do not satisfy 
CEI requirements, additional limits and 
inspections are placed on them using the 
DAR procedure. Table 6 presents the current 
generic life and inspection limits 
controlled by DAR. These data apply to 
the entire SSME inventory. In addition to 
these generic DARs, there are engine- and 
component-unique DARs, such as shown 
in Table 7 for engine 2027. Such unique 
limits are required because of the difficulty 
of reproducibly manufacturing engine parts 
with consistent design margins or performance 
characteristics. 

Table 6. SSME Component Generic DAR Limits 

| Component | Engine Starts | Accumulated Run Time |
|---|---|---|
| HPOTP (Life Limits) | | |
| First Stage Disc | 14 | - |
| Pump End Bearings | - | 2000 sec |
| Turbine End Bearings | - | 2568 sec |
| Turbine Bearing Preload Spring | - | 3442 EFPL sec |
| First Stage Blades | 21 | 5000 sec |
| Second Stage Blades | 22 | 5391 |
| HPOTP (Inspection Limits) | | |
| Second Stage Nozzle | 11 | - |
| First Stage Nozzle | 14 | - |
| Housing | 10 | - |
| Impeller | - | 5400 sec |
| HPFTP (Life Limits) | | |
| First and Second Stage Blades | 13 | 4300 sec |
| Thermal Shield | 17 | - |
| HPFTP (Inspection Limits) | | |
| First and Second Stage Nozzles | 15/10 | - |
| Impeller | - | 5500 sec |
| Kel-F Seal | - | 5500 sec |
| Housing | 10 | - |
| LPFTP (Inspection Limits) | | |
| Volute | | 3425 EFPL sec |
| Pressure Sensors (Life Limits) | - | 11400 sec |
| OPOV Seal (Inspection Limit) | Unscheduled Engine Cutoff | 1.5-5 sec |

EFPL - Equivalent Full Power Level. 
* 10k configuration. 

Table 7. Engine 2027 Unique Inspection Limits 

| Component | Limit |
|---|---|
| Nozzle | Dye penetrant inspect aft manifold every test |
| MCC assembly | Borescope weld 19 after every test |
| G15 bellows seal | Replace seal after every 2 flights |
| HPFTP | Inspect curvic teeth every 11 starts |
| First and second stage discs | Dye penetrant and eddy current every 30 starts |
| Housing | Borescope T/E coolant holes every 10 starts |
| HPOTP | Inspect at intervals not exceeding 5512 sec |
| Housing | Borescope inspect limit to one flight |

Another method employed to ensure 
adequate operating margin is the "Fleet 
Leader" criterion. This criterion stipulates 
that a component cannot be used for flight 
if its accumulated service life exceeds 50 
percent of the maximum accumulated 
operating time or starts of a comparable 
component, thus providing operating margin. 
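
The generic DAR life limits of Table 6 and the Fleet Leader criterion can be applied together as one pre-flight screen. The Python below is an added illustration, not code from this report or from the SSME program; the function names, serial numbers, usage figures and fleet-leader figures are constructed, and treating a value exactly equal to a limit as acceptable is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Usage:
    """Accumulated service life of one serialized component."""
    starts: int
    seconds: float


@dataclass(frozen=True)
class Limit:
    """A DAR limit; None means that axis carries no limit ('-' in Table 6)."""
    starts: Optional[int] = None
    seconds: Optional[float] = None


# HPOTP life limits as listed in Table 6 of the report.
GENERIC_DAR: Dict[str, Limit] = {
    "HPOTP first stage disc": Limit(starts=14),
    "HPOTP pump end bearings": Limit(seconds=2000),
    "HPOTP turbine end bearings": Limit(seconds=2568),
    "HPOTP first stage blades": Limit(starts=21, seconds=5000),
}

FLEET_LEADER_FRACTION = 0.5  # the "50 percent" of the Fleet Leader criterion


def flight_holds(usage: Usage, dar: Limit, fleet_leader: Usage) -> List[str]:
    """Return the reasons a unit may not fly; an empty list means no hold.

    Both rules are checked on both axes (starts and run time), because the
    criterion is violated by exceeding either one.
    Assumption: "exceeds" is strict, so a value equal to a limit passes.
    """
    holds: List[str] = []
    for axis in ("starts", "seconds"):
        used = getattr(usage, axis)
        cap = getattr(dar, axis)
        if cap is not None and used > cap:
            holds.append(f"DAR: {axis} {used} exceeds limit {cap}")
        margin = FLEET_LEADER_FRACTION * getattr(fleet_leader, axis)
        if used > margin:
            holds.append(
                f"FLEET-LEADER: {axis} {used} exceeds {margin} (50% of leader)"
            )
    return holds


# Constructed sample inventory: (serial, component, usage, fleet leader usage).
# The fleet leader is the most-used comparable component, typically a test unit.
INVENTORY: List[Tuple[str, str, Usage, Usage]] = [
    ("SN-A", "HPOTP first stage blades", Usage(12, 3100.0), Usage(30, 7000.0)),
    ("SN-B", "HPOTP pump end bearings", Usage(6, 2100.0), Usage(20, 6000.0)),
    ("SN-C", "HPOTP first stage disc", Usage(13, 4000.0), Usage(24, 9000.0)),
]


def screen(inventory: List[Tuple[str, str, Usage, Usage]]) -> Dict[str, List[str]]:
    """Map each serial number to its list of holds.

    A component name missing from GENERIC_DAR raises KeyError rather than
    being passed without a limit check.
    """
    return {
        serial: flight_holds(usage, GENERIC_DAR[component], leader)
        for serial, component, usage, leader in inventory
    }


if __name__ == "__main__":
    for serial, holds in screen(INVENTORY).items():
        print(serial, "CLEAR" if not holds else "; ".join(holds))
```

SN-C shows the point of the second rule: the disc is inside its 14-start DAR limit but is still held, because its 13 starts are more than half of the fleet leader's 24.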

Finally, operating margin is provided 
by imposing redlines both on the ground and 
inflight. These redlines are designed to 
initiate engine shutdown prior to operation 
in a manner that could lead to a catastrophic 
failure. During engine start on the launcher, 
if any of the redlines is exceeded, the 
controller will shut down the engine and will 
not issue the permissives required for Solid 
Rocket Motor ignition. During flight, if a 
redline is exceeded, the controller will shut 
down that engine and the crew will have to 
fly the appropriate abort mode. 

Although the Reliability analyses 
indicate that the probability of encountering 
a CRIT-1 failure during ascent is of the 
order of 1 in 120, or 1 in 45 for an engine 
shutdown, the data base used for these 
calculations includes both development test 
runs and certification runs. Also, all special 
precautions represented by added 
inspections, more frequent inspections, life 
limits, and so on serve to increase the actual 
reliability of the flight unit. The actual 
reliability cannot be stipulated or stated 
precisely. But, as long as all these controls 
are implemented in an expert, disciplined, and 
vigilant manner, the engine can be considered 
safe to fly. 

ABORT OPTIONS 

In the event that an engine failure does 
occur despite all the precautions taken, a 
final safety feature in the Space Shuttle 
system — the aborts — can be activated. 
Some engine failures can be "contained," 
that is, no debris escapes the engine and the 
engine is shut down without collateral 
damage to other Shuttle systems. Other fail- 
ures may be "uncontained," with debris 
escaping the engine’s confines and probably 
damaging other systems or engines. The 
latter is called "catastrophic" as there is a 
high probability, but no certainty, that it 
would cause loss of vehicle and crew. 

Failure of an SSME during ascent will 
cause the crew to initiate one of two abort 
modes depending on when, during ascent, 
the failure occurs. The modes are: intact 
aborts in which it is possible to achieve orbit 
or return vehicle and crew to a pre-selected 
landing site; or, a contingency abort which 
provides the opportunity to maintain vehicle 
integrity and control for inflight crew escape. 
A contingency abort is usually indicated 
when a second engine failure occurs; a 
situation that would require expert piloting. 
No abort mode can be executed prior to 
Solid Rocket Booster separation. 

Among the intact abort types are: Abort 
to Orbit, Abort Once Around, Trans-Atlantic 
Landing, and Return to Launch Site (RTLS). 
The names are descriptive of what is entailed 
except for the RTLS abort, which requires 
dissipation of propellants, a powered 
turnaround including flying backward, an 
atypical jettison of the External Tank, and 
a landing near the launch site. RTLS is a 
quite complicated maneuver that requires 
very skillful piloting and flying through 
previously unexperienced flight conditions. 

IV. PROPOSED IMPROVEMENTS 


Operating experiences and the 
continuing occurrence of hardware problems 
indicate that the Space Shuttle Main Engine 
(SSME) in its present configuration does 
not have the ruggedness that is desired for 
so critical an element of the Space Shuttle 
system. It requires continuous expert and 
disciplined labor to gain the confidence in 
the hardware needed to commit a set of 
engines to a flight. In recognition of this 
situation and with intimate knowledge of 
the weaknesses of the engine, the SSME 
Project has, over the years, initiated the 
development and certification of a number 
of individual major design changes to the 
engine. The objectives of these changes are 
to make the engine more robust (increasing 
margins); to eliminate, or mitigate to 
a great extent, the more worrisome of 
the Criticality-1 (CRIT-1) failure modes; and 
to improve the ability to manufacture the 
hardware exactly to print. This would shift 
engine safety from its current great 
dependence on people and procedures to 
inherent and reproducible properties of the 
hardware. Some of these changes have 
reached the certification test stage. Others 
are in earlier stages of development. The 
candidate improvements are discussed below. 

SINGLE-TUBE HEAT EXCHANGER 

The current heat exchanger (HEX) 
(Figure 4), which converts liquid oxygen to 
gaseous oxygen for pressurizing the External 
Tank (ET) oxygen tank and the POGO 
suppression subsystem, continues to head 
the list of CRIT-1 components for the 
SSME. The heat exchanger is located in 
the oxidizer side of the Hot Gas Manifold 
(HGM) in the path of turbine exhaust gases 
from the High Pressure Oxidizer Turbopump 
(HPOTP) that provide the heat needed to 
effect the change of state of the liquid 
oxygen. 

Figure 4. Heat Exchanger Assembly 

Salient features of the current two-tube 
HEX and the proposed single-tube 
replacement are shown in Figure 5. The 
current HEX consists of a primary tube, a 
bifurcation joint, and two secondary tubes. 
The source of safety concern is the existence 
of seven critical welds in the oxygen- 
containing thin-walled (as thin as 0.0125 
inches) tubes that isolate the oxygen from 
the fuel-rich hot gases. It is difficult 
to control welding and these welds cannot 
be fully inspected. Should one of the welds 
fail, the consequence would be rapid, uncontrolled 
combustion in the HGM leading to 
a burnthrough or explosion. The single-tube 
HEX has no welds exposed to the hot gases, 
and its tube wall thickness is a much more 
rugged 0.032 inch. The structural advantages 
of this design are evident from Table 8. 
Further, 30 welds were eliminated from the 
assembly and all remaining welds were 
designed so that critical flaw sizes can be 
detected and the welds can be fully 
inspected. 

Figure 5. Single-Tube Heat Exchanger and Current Bifurcated HEX 

Table 8. Single-Tube Heat Exchanger Structural Margins (FPL Engine Conditions) 

| Factor of Safety | Single-Tube HEX | Bifurcated HEX |
|---|---|---|
| Yield | 1.5 | 1.3 |
| Ultimate | 5.0 | 3.9 |
| Endurance | 3.2 | 1.2 |

Such a redesigned HEX had been 
proposed for a long time; however, the 
technology to produce the very long (40 feet) 
jointless tube of the appropriate material 
has only recently been developed. Incorporation 
of the new HEX will certainly reduce 
the amount of time currently expended in 
painstaking postflight mass-spectrometer leak 
testing to ensure the integrity of the interpropellant 
welds and tubing. This 
modification has been installed on an engine 
and is scheduled to enter certification testing. 

PRATT & WHITNEY ALTERNATE 
TURBOPUMPS 

As indicated earlier in this report, the 
most challenging and troublesome 
components of the SSME are the high- 
pressure turbopumps. Engine system 
requirements led to discharge pressure levels 
of about 8,000 psi for the oxygen pump and 
6,000 psi for the fuel pump. The weight and 
size constraints led to lightweight, high- 
speed, high-temperature and high-efficiency 
designs. For example, the High Pressure Fuel 
Turbopump (HPFTP) uses a two-stage 
turbine with uncooled blades at a turbine 
inlet temperature in excess of 2,000 R to 
produce about 70,000 horsepower at 36,000 
rpm to drive the hydrogen pump. This 
machine is of the size and weight of an 
automobile engine but produces the 
horsepower equivalent of 28 diesel locomo- 
tives. The HPOTP runs at about 26,000 rpm 
to produce over 28,000 horsepower. 

The current machines have been 
difficult to manufacture repeatably and have 
been the source of many of the test failures 
experienced, including uncontained failures. 
In ground test, there were 42 engine failures. 
Of these, 8 were attributable to the 
turbopumps; 1 during the start phase and 
7 during steady operation, 3 of which were 
catastrophic. In the SSME CIL, 14 of the 
top 25 items are associated with the 
turbopumps (testing has validated the 
ranking). Moreover, the turbopumps require 
extensive inspections and frequent removal 
for overhaul and consequent retest. 

As noted earlier, the current 
turbopumps have been the subject of a series 
of major improvement programs, the latest 
being the "10K" program. This program had 
more success with the HPFTP than with the 
HPOTP. The latter is limited to one to 
three flights before removal for overhaul 
because of bearing wear indications. The 
HPFTP, which met the 10K objective and 
is permitted seven to eight flights before 
overhaul, still requires very detailed 
inspections between flights and extreme care 
during manufacture. The welded "sheet 
metal" construction employed in the 
HPFTP’s complex flow paths continues to 
limit the turbopump’s life and to be a high- 
maintenance item requiring frequent removal 
for crack repair. Also, a recently discovered 
turbine blade material quality problem 
requires computer tomography screening 
of all blades. 

Remedies were sought to address the 
continuing problems with the turbopumps 
prior to the initiation of the 10K program. 
In 1985, it was concluded that, within the 
constraints presented by the existing designs, 
no group of physically possible modifications 
could produce the more rugged, reproduc- 
ible, and reliable machines needed. A 
decision was made to design and develop 
a new set of high pressure turbopumps. 
These pumps were not to be burdened with 
the weight restrictions imposed on the 
existing machines and the designs were to 
be responsive to the lessons learned from 
the experiences of more than a decade with 
the current turbopumps. Pratt & Whitney 
(P&W) was selected to develop the new 
machines, which are referred to as the 
"Alternate Turbopumps." The major objec- 
tives and design differences between the 
current and the alternate turbopumps are 
given in Table 9. Of particular note are: 
115 percent RPL as the design point, the 
use of single-crystal turbine blades, the use 
of advanced precision castings instead of 
built-up welded sheet metal for complex 
parts, and the elimination of coatings against 
hydrogen embrittlement by use of improved 
materials. In addition, the machines are 
designed to contain a turbine blade failure 
and enhance the probability of a safe 
shutdown. 

Table 9. Alternate Turbopump Design Approach 

• Incorporate lessons learned with emphasis on increased safety margins 
• Increase performance and structural margins 
• Utilize 115% power level for maximum design condition 
• Utilize single-crystal blades 
• Eliminate welds and sheet metal 
• Eliminate thermal and hydrogen environment coatings 
• Reduce number of rotating parts (50%) 
• Provide safe shutdown in event of turbine blade failure 
• Design for inspectability, producibility, and operability 


The Alternate Turbopump Program 
(ATP) employs the Design Verification 
Specification (DVS) methodology with its 
extensive testing at the subcomponent level. 
In addition, use of a turbopump assembly 
hot-fire facility permits exploration and 
characterization of the operating map of 
each machine separately, prior to turbopump 
operation on an engine. Another advantage 
of these machines is their careful design for 
maintainability, thus allowing a turbopump 
to be disassembled and rebuilt in about 2 
weeks in contrast to the 4 to 5 weeks 
required for the current turbopumps. 

The program has not proceeded as 
smoothly as had been anticipated; as in any 
such development, problems have arisen that 
have caused delays. The nature of the more 
significant problems encountered for each 
machine and the status as of this writing are 
given below. 

HPOTP. The current HPOTP has been 
the most troublesome turbopump on the 
engine. The major design features of the 
ATP HPOTP are contrasted with those of 
the current HPOTP in Table 10. Once 
developed, the new machine should be much 
more rugged than its predecessor. Testing 
at the engine level began in late 1991. 
Unfortunately, the new machine ran into 
a number of problems, including turbine 
inlet cracking, turbine bellows failure, 
turbine bearing outer race cracking and, 
most intractable, high synchronous vibration 
of the rotor assembly. The inlet problem 
resulted from a previously unrecognized 
adverse radial temperature gradient (400 
to 600 R) in the gases from the engine 
preburner. The next two problems were 
attributed to a manufacturing problem. 
Corrective actions were devised for these 
and implemented. 

The synchronous vibration problem has 
been under study for 1-1/2 years. Several 
attempts to correct the problem during that 
period proved unsuccessful. A multi- 
organizational team of experts in rotor 
dynamics was formed to resolve the problem, 
and a systematic approach led to the 
incorporation of several HPOTP design 
detail changes. Since then, the HPOTP has 
demonstrated, in engine-level tests, over 
5,700 seconds of satisfactory operation at 
104 percent RPL. These were accumulated 
in some 24 tests including 9 mission duration 
runs. The only untoward finding from these 
runs was greater-than-expected wear in a 
bearing. Some changes to the bearing 
support structure should solve this problem. 
Testing at FPL and the accumulation of 
additional development test time in the final 
configuration must occur before certification 
of the HPOTP can begin. Certification 
testing is currently scheduled to begin in the 
Spring of 1993 and to be completed in mid-1994. 

Table 10. Summary of HPOTP Features 

| Objective | Alternate Turbopump | Current |
|---|---|---|
| Minimize welds through fine grain investment castings | 7 | 300 |
| Eliminate uninspectable welds | None | 250 |
| Provides subcritical rotordynamic operation; stiffen rotor system | Integral Tiebolt/Disk | Shaft coupled to 1st disk, bolted to 2nd disk |
| Minimize rotating elements | 28 | 50 |
| Provide significant suction (NPSP) margin | 40% | Marginal |
| Minimize LOX cooled bearings | 1 | 4 |
| Eliminate coatings/closeouts required for hydrogen embrittlement protection | None | Gold coating/weld closeouts |
| Reduce shaft RPM | 22400 | 28000 |

HPFTP. The features of the P&W 
HPFTP and the existing 10K HPFTP are 
compared in Table 11. As in the case of 
the HPOTP, the new machine should be 
much more rugged and durable. Engine- 
level testing of the ATP HPFTP began in 
May 1991. The turbopump demonstrated 
ability to operate at 109 percent RPL and 
accumulated 2200 seconds of operation 
during 23 tests at several power levels. 
These development tests revealed several 
design deficiencies. Among them were: 
cracking of the turbine inlet that was 
associated with thermal transients, lift-off 
seal leakage, ball bearing inner race cracks, 
and a high-cycle fatigue crack at the corner 
of a second-stage turbine blade. These 
problems were investigated and corrective 
actions were developed and implemented 
in all cases except the blade crack. The 
efficacy of these fixes was demonstrated 
during a number of runs. The blade crack 
fix could not be demonstrated at that time 
because it involves changing the number of 
second stage stator vanes from 54 to 76, 
which requires a new casting, and has a 
longer lead-time than the other changes. 

In December 1991, the HPFTP program 
was placed on hold for 2 years because of 
budgetary constraints and to concentrate 
development resources on the more critical 
and difficult problems of the HPOTP. Since 
then, an IR&D-funded HPFTP was tested 
at the MSFC Technology Test Bed (TTB) 
engine facility (a highly instrumented SSME) 
to determine if the modified pump would 
cause any engine system effects over the 
operating envelope of the SSME. During 
the three test runs, the HPFTP was operated 
over the extremes of allowable inlet 
conditions, power levels (up to FPL), and 
mixture ratios. No adverse engine system 
effects were observed. 

Table 11. Summary of HPFTP Features 

| Objective | Alternate Turbopump | Current (10K Config.) |
|---|---|---|
| Minimize welds through fine grain investment castings | None | 469 |
| Eliminate uninspectable welds | None | 315 |
| Rotordynamic control; stiffen rotor system | Integral Tiebolt/Disk | Shaft coupled to 1st disk, bolted to 2nd disk |
| Minimize rotating elements | 14 | 30 |
| Provide significant suction (NPSP) margin | 90% | 15% |
| Eliminate turbine blade thermal barrier coating through single crystal alloy | None | NICRALY |

In summary, the ATP designs represent 
a significant improvement in the inherent 
design margins and durability of the current 
turbopumps. These margins have been 
enhanced through the elimination of welds 
and "sheet metal" construction, reduction 
in the number of rotating parts, and elimi- 
nation of protective coatings for thermal and 
hydrogen embrittlement effects. Moreover, 
the design for inspectability and main- 
tainability permits simple and rapid 
turbopump assembly and disassembly. The 
design is such that, with manufacturing 
techniques employed, it is possible to 
produce hardware within drawing re- 
quirements repeatably. The "price" for 
obtaining these improved turbopumps, aside 
from fiscal, is a reduction in Shuttle payload 
capability of 900 pounds due to the increased 
engine weight. 

The completion of the development 
program and the certification testing still 
remains. The 2-year hiatus in the HPFTP 
program can only be detrimental to the 
achievement of the goal of a set of rugged, 
reliable turbopumps for the SSME and may 
also increase costs because of program 
stretch-out and duplicate certification testing. 

LARGE THROAT 
MAIN COMBUSTION CHAMBER 

As noted earlier in this report, the 
chamber pressure required for the SSME 
is several times that of any large rocket 
engine developed previously. In combination 
with the staged-combustion cycle, this drives 
the turbomachinery and other system 
pressures to new heights as well. Anything 
that reduces these pressures while retaining 
thrust and specific impulse levels also serves 
to reduce the internal operating conditions 
and to increase the operating margins of 
engine components, their durability and 
reliability. Certainly, such changes would 
be of great import to the turbomachines as 
well as other system components. 

As early as 1981, the SSME Project 
proposed that an increase in the throat 
diameter of the Main Combustion Chamber 
(MCC), along with some other modifications 
to the main combustion system, could 
provide the desired relief for the 
turbomachinery operating environment. This 
modification was not approved as part of 
the SSME improvement program, but was 
relegated to a "technology" activity status 
with minimal resources. Only recently has 
the Large Throat MCC (LTMCC) become 
an integral element of the safety and 
reliability improvement program. 

The MCC is a cylindrically symmetrical, 
regeneratively cooled pressure vessel that 
contains the high-temperature (6,000 R) 
burning propellant gases and initiates their 
expansion through the integral chamber
throat before they enter the nozzle. The
MCC uses part of the liquid hydrogen 
discharged from the HPFTP as a coolant 
to maintain the MCC internal wall 
temperature within acceptable limits. Forced 
convection cooling is the primary method 
for cooling the wall and is obtained by 
channeling the hydrogen through a large 
number of rectangular cooling slots within 
the chamber wall. Convective cooling is 
supplemented by providing film cooling to 
the interior (or hot) wall by injecting jets 
of hydrogen along the wall through small 
holes in the main injector face plate. 

The LTMCC differs from the current
MCC in several ways. The throat diameter
has been increased 11 percent from 10.305
to 10.883 inches, which allows a decrease
in chamber pressure by 9 percent. The
contour of the chamber also changes and
the throat plane is shifted downstream from
the injector face by 0.7 inch (Figure 6). The
increased throat dimension permits an
increase in the number of coolant channels
to 430 from the current 390 and the
accompanying reduction in hot wall
thickness. These changes reduce the
operating temperature of the hot wall by
approximately 60-to-100 R, increasing its
life by about 200 percent. This lowered
temperature serves to reduce the occurrence
of pin-hole leaks and channel cracks. The
increased number of coolant channels also
increases the magnitude of hot-wall-to-
channel-wall bond area, thus lowering
operating bond stress by 17 percent, which
increases the structural margin of these
bonds by 32 percent over its current level.

[Figure 6 callouts: Throat area increased by 11%; reduces operating chamber pressure (Pc) by 9%]


In addition to the functional changes 
described above, investment cast manifolds 
with wrought liners are used instead of the 
welded construction of these components 
in the current MCC. The cast manifolds 
significantly reduce the number of welds 
(from 79 to 26) in the manifolds, and those 
that do remain are fully inspectable. Cost 
of manufacturing and fabrication time also
decreases. 

The introduction of the LTMCC has
impacted other engine components (see
Table 12). These relatively minor impacts
require some redesign and recertification
of the affected component. The Low
Pressure Oxidizer Turbopump (LPOTP)
inducer has to be redesigned to change the
blade incidence angle. This redesign has
been initiated and a development unit has
been water-flow-tested and hot-fired on the
TTB engine. While the ATP HPOTP was
designed to be compatible with both the
LTMCC and the current MCC, the current
HPOTP would require a redesign of the
main inducer to reduce cavitation and a
change to the preburner stage diffuser to
eliminate vane stall characteristics that occur
at the lower power levels.

Table 12. SSME Operating Condition Comparison at 104% RPL

Parameter                              Units     Current Phase-II MCC   LTMCC      Delta
Thrust                                 lbf       488352                 488352
Chamber Pressure                       psia      3126                   2843       -9.0%
Mixture Ratio                          O/F       6.011                  6.011
Suction Oxidizer Flowrate              lbs/sec   926.59                 925.43
Suction Fuel Flowrate                  lbs/sec   154.15                 153.96
Total Suction Flowrate                 lbs/sec   1080.74                1079.39
Isp                                    sec       452.9                  453.4
HPOTP Main Pump Discharge Pressure     psia      4341                   4084       -5.9%
      Boost Pump Discharge Pressure    psia      7306                   7190       -1.6%
      Shaft Speed                      rpm       27938                  27658      -1.0%
      Turbine Discharge Temperature    R         1335                   1201       -10.1%
HPFTP Pump Discharge Pressure          psia      6348                   6037       -4.9%
      Shaft Speed                      rpm       34936                  34328      -1.7%
      Turbine Discharge Temperature    R         1694                   1550       -8.5%
Oxidizer Preburner Pressure            psia      5187                   4803       -7.4%
Fuel Preburner Pressure                psia      5200                   4784       -8.0%
LPOTP Discharge Pressure               psia      422                    401        -5.0%
      Shaft Speed                      rpm       5107                   5005       -2.0%
LPFTP Discharge Pressure               psia      [illegible]            293        -0.7%
      Shaft Speed                      rpm       [illegible]            15740      -0.4%

Use of the LTMCC lowers the 
combustion chamber pressure by 9 percent 
at 104 percent RPL. Thrust is maintained 
by the change in the operating points of the 
turbopumps. A comparison of the operating 
conditions and margins of the engine with 
the LTMCC with those with the current 
MCC is given in Table 12. In general, with
the LTMCC, operation of the engine at 104
percent RPL is less stressful than operating 
the current engine at 100 percent RPL. 
Similarly, operating the engine with the 
LTMCC at 109 percent RPL is equivalent 
to the current engine operating at 104 
percent RPL (Figure 7). 

While the LTMCC increases the 
operating margins as noted above, the 
reduction in chamber pressure and area ratio 
would result in a reduction of 2.2 seconds 
in specific impulse and consequent loss in 
vehicle payload capability. To reduce this 
loss, it is planned to eliminate the acoustic 
cavities and their associated coolant flow, 
reduce chamber film coolant flow, and use 
the chamber in combination with the Two- 
Duct Powerhead, which deletes the main 
injector baffles (cf. Table 13). Experience
with such changes to the combustion system
in hydrogen/oxygen systems and test results
of the LTMCC technology program indicate
that removing combustion stabilizing devices
from the system is acceptable.

Table 13. Two-Duct Powerhead Improvements

• Increased hot gas flow area
• Improved contour for hot gas flow
• Eliminated center transfer duct
• Improved main injector flow shield design
• Shortened preburner injector elements
• Improved structural integrity of coolant ducts and liquid oxygen inlet manifold
• Eliminated 76 welds
• Removed main injector baffles

The removal of the MCC injector 
baffles produces an improvement in MCC 
cooling. The baffles were originally included 
to prevent combustion instability from 
propagating. Although testing to date has 
shown adequate stability, thorough stability 
testing during completion of the development 
and certification programs is prudent. 

To date, there are four LTMCCs in 
various stages of manufacture and assembly. 
LTMCC unit 6001 was installed on Engine 
0208, test run for 26 starts, and accumulated 
3,716 seconds of operating time. It was also 
installed on Engine 0217 and tested for 830 
seconds in two runs. On Engine 0208, 
injector baffles and acoustic cavities were 
removed and subjected to eight "bomb" test 
sets to determine the sensitivity of this 
configuration to combustion disturbances. 
All of these tests demonstrated rapid 
recovery from the disturbance created by 
the bomb, recovering within 6 milliseconds, 
which is essentially the same as that of the 
original configuration. The criterion for
acceptable recovery is 28 milliseconds.
Other aspects of performance were reported 
to have met or exceeded expectations. The 
condition of the chamber after 28 tests was 
excellent with no indication of cracking or 
pin-hole leaks. 

Improvement of operating margins 
associated with the LTMCC may lead to the 
availability of the more desirable abort mode 
options. The operating margin of the SSME 
at FPL with the LTMCC is comparable with 
that of the current engine at 104 percent 
RPL. In the event of an engine shutdown, 
advancing the throttle to FPL makes possible 
a greater time span for the abort-to-orbit 
mode and a reduction of the time when 
RTLS mode is required by about 20 to 30 
seconds. More detailed study is required. 

TWO-DUCT POWERHEAD 

The current SSME powerhead (referred 
to as the Phase II powerhead), shown in 
Figure 8, is an assembly of eight major parts. 
One part, the HGM, serves as the structural 
base for mounting the MCC and its injector, 
the two preburner injectors, the HEX, and 
the two high-pressure turbopumps. The 
current HGM has three ducts connecting 
the high-pressure fuel turbine discharge 
annulus and the MCC injector dome. These 
ducts yield non-uniform velocity and pressure 
profiles of the hot gas flow entering the 
MCC injector dome. This causes severe 
dynamic loading on the MCC injector liquid 
oxygen (LOX) posts. The flow distortion 
also causes a rather large pressure drop 
through the ducts, resulting in a loss in 
performance. Also, the significant lateral 
pressure differential created across the 
HPFTP adds to its structural loads, especially 
on the "sheet metal" parts. The HGM has 
very thick walls, about 2-1/2 inches, and 
many welds are used to make the assembly. 
Many of the items in the CIL that are
associated with the powerhead are of
concern because they are exacerbated by
the poor flow conditions it creates.

[Figure 8. Phase II Powerhead (labels: HPFTP, MCC, HPOTP)]

During the early 1980’s, a program was 
initiated to modify the powerhead to mitigate 
or eliminate these problems. This program 
introduced a new component referred to as 
the Phase II+ powerhead (two-duct
powerhead). The most significant features 
of the redesign are indicated in Figure 9, 
with the three circular cross-section ducts 
replaced by two elliptical cross-section ducts. 
This and other modifications significantly 
improved flow uniformity, decreased 
turbulence levels and pressure drops, and 
improved the ruggedness and hence the 
reliability of the assembly. A summary 
of the changes is given in Table 13, 
indicating the components affected. For 
example, the flow area of the MCC injector
flow shields has been increased by 34
percent and the dynamic loads on the LOX
posts are reduced by 16 percent. The
HPFTP transverse pressure gradient is 
reduced by 60 percent, reducing this part 
of its structural load significantly. Changes 
to the liquid oxygen inlet elbow and tee have 
increased both their high- and low-cycle 
fatigue design life by an order of magnitude. 
The number of welds in the assembly has 
been reduced by 24 percent. 

Testing to date indicates a need to fine- 
tune the film cooling flows for the MCC 
walls to eliminate blanching and erosion. 
This is in process. Formal certification of 
the powerhead will coincide with that of the 
single-tube HEX and is scheduled to start 
in late 1992 and end in 1994. 

[Figure 9. Powerhead (Comparison)]

PERFORMANCE IMPACTS

The forementioned improvements will
impact Shuttle system performance. In the
case of engine Isp, as shown in Table 14,
certain losses and gains are attributable to
the various changes. Regarding the
reduction of leakage in the new MCC, the
optimistic estimate is that there will be a
net gain of 0.95 seconds. Conservatively,
the estimated net effect on Isp would be a
gain of about 0.35 seconds or a net gain in
payload capability of about 350 pounds.

Estimated effects of the proposed 
structural changes involved are indicated 
in Table 15. If all improvements are 
incorporated, the weight of an engine will 
increase 685 pounds or 2050 pounds per ship
set. The overall effect of the changes (using
the conservative effect of Isp) is an
approximate 1700-pound decrease in payload
capability. This is the "price" of increasing
the safety and reliability of the SSME and 
is well worth it. 


PRIORITIES 

There is no simple, mathematically 
rigorous way to establish priorities among 
the major changes to the SSME described 
in the preceding paragraphs. Any attempt 
to assign priorities based on a mathematical 
scoring system would be highly subjective. 
The Team’s consensus was that priorities 
should be based on the evaluation of each 
item’s impact on engine safety and reliability. 
This led to the following priority groupings: 

Priority I:   Single-tube HEX
              ATP HPOTP
              LTMCC

Priority II:  ATP HPFTP
              Two-Duct Powerhead

Within each grouping, the items are
presented in priority order. No other major
modifications are under development or
consideration at this time.

Table 14. SSME Large Throat MCC Engine Performance

Specific Impulse Change Due to Large Throat MCC Incorporation    Delta (Sec)

Large Throat MCC
  Area/Chamber Pressure                                          -2.2
  Acoustic Cavity Row Elimination                                +0.5
  Boundary Layer Coolant Hole Row Reduction                      +1.0
  MCC Total:                                                     -0.7 Seconds
Phase II+ Powerhead
  Baffleless Main Injector                                       +1.0
Total Specific Impulse Change                                    +0.3 Seconds (95% Confidence)
Expected Additional Gain Due to MCC Leakage                      +0.05 to +0.65

Table 15. Effects of Improvement on SSME Weight

MCC
  Standard (today) MCC Weight                                    470 lbm
  Rocketdyne Proposed Production Large Throat                    620 lbm
                                                                 +150 lbm over today
Turbomachinery
 HPOTP
  Rocketdyne (today)                                             575 lbm
  ATD (expected flight weight)                                   741 lbm
                                                                 +166 lbm over today
 HPFTP
  Rocketdyne (today)                                             770 lbm
  ATD (expected flight weight)                                   989 lbm
                                                                 +219 lbm over today
Powerhead
  Phase-II (today, 3-duct)                                       1267 lbm
  Phase-II+ (2-duct, baffleless, Single-Tube HEX)                1417 lbm
                                                                 +150 lbm over today

Total Delta (per engine): +685 lbm

CERTIFICATION 

Figure 10 shows the current schedule
for development and certification of the
proposed improvements. It is apparent from
the figure that the sequence of availability
of the improvements is not in concert with
the priorities just presented. Also, because
of the hardware-related factors, there will
be multiple certifications of some
improvements. For example, the ATP
HPOTP will first be certified with the
current MCC and will have to be re-certified
with the LTMCC. Also, the resulting
configuration will only fly for a very few
years before it is replaced. Engine-level
testing is a very expensive activity,
approximately $1500/second, with at least
40,000 seconds required for certification.
Therefore, it would be advisable to examine
modifying current plans to determine if a
more logical and effective program can be
devised. Such an examination should
consider the possibility of reorganizing the
program so as to create a "block change";
that is, one incorporating all the changes
at once to create a new model of the SSME.
This would require a very detailed
assessment of all the factors involved in such
a programmatic alteration. Among the
factors to be considered is the number of
engine test stands needed in this process — it
being possible that, with a different program
plan, all three facilities might not be needed
and the concurrent expenditure could be
avoided. Intuitively, such a block change
approach should be less expensive in the
long run, reduce duplicative testing, and
certify the block in the ultimate flight
configuration only. This may delay some
certifications and require expediting others.

[Figure 10. Current Implementation Schedule for SSME Improvements]

OTHER OPERATIONAL CONCERNS 

During the course of the Team’s review, 
other engine operational concerns surfaced 
that demand attention before they become 
major safety risk factors; these are discussed
below.

"Pops". Occasionally, the oxidizer preburner
experiences sudden, short-lived rapid
combustion phenomena, possibly detonations,
evidenced by sudden spikes in engine-
mounted accelerometer readings. These
have been called "pops," some of which have
resulted in accelerometer readings as high
as 10,000 g. Until recently, such large pops
have occurred only after engine cutoff had
been initiated, generally about 2.3 seconds
into the process. Recently, pops of 11,000
to 12,000 g have been experienced during
engine start-up in contrast to the 1,000 g
previously experienced.

Based on post-event inspections, a 
criterion has been developed that states that 
pops yielding 6,000 g or less require no
special action; those above that magnitude 
require a "flat face" inspection of the injector 
plate to ensure that no physical deformation 
has occurred and that none of the brazed 
joints have been damaged. To test the 
validity of this criterion, a preburner injector
that had been deformed by 0.085 inch is 
being kept in the test program. 

There are several concerns about pops: 
their unpredictability, lack of understanding 
of the phenomenon, and lack of knowledge 
as to what is the upper bound of the 
disturbance. Attempts are being made to 
investigate making small changes in the 
injector manifolds to minimize the 
accumulation of propellant behind the 
faceplate, a suspect mechanism. Also, 
modifications to valve timing during 
shutdown are being investigated in an effort 
to minimize the fuel backflow resulting from
an imbalance between chamber pressure 
and supply pressure during the transient. 
Finally, although bomb testing and operating 
experience indicate that the engine is 
inherently stable, the magnitude of the 
disturbance during pops might be sufficient 
to trigger combustion instability, especially 
if the stabilizing devices like acoustic cavities 
and main injector baffles are removed. 
Obviously, a continuing analytical and 
experimental effort to understand and 
eliminate or control the phenomenon is
indicated. 

Instrumentation. A source of 
continuing concern has been the failure of
flight sensors used for redlines. Although
the systems employ redundant sensors and 
logic to exclude readings from failed units, 
the failure experience is not salutary. Should 
a number of sensors in one redline 
instrument system fail, an unnecessary engine 
shutdown and abort could occur. This is 
especially true of the temperature 
instruments used to measure turbine 
discharge temperatures of the high-pressure 
turbopumps. Of necessity, the sensing 
element of the thermistors is a very fine wire 
that is easily broken. Over the years, a 
series of design modifications of the sensor 
assembly has had moderate success in 
increasing ruggedness, but failures continue 
to occur. Also, extreme care in manufacture 
is required to produce a usable device. Not 
only must development of the current type 
sensor continue but an alternate, more 
rugged technique should be sought for 
sensing temperatures. 

Valve Actuators. The hydraulic 
actuators that operate the propellant control 
valves are critical parts of the engine system. 
The hydraulic segment of the actuators is 
fully redundant and is backed up with a 
pneumatic system that is designed to allow 
a safe shutdown in the event of a multiple 
failure in the hydraulic system. Prior to the 
Challenger accident, two on-pad aborts were 
associated with loss of redundancy in the 
actuator system. The Launch Commit 
Criteria require that all redundant systems 
be operating for a launch. Design changes 
were incorporated in both the actuator and 
the hydraulic fluid systems to improve 
reliability. Since then, an actuator hangup
has occurred during a component checkout.
The cause of the malfunction was
determined to be galling between the spool
and sleeve that transfers the valve from
hydraulic to pneumatic control in the event
of multiple failure in the hydraulic part of
the actuator. Fixes for this problem are
being actively sought.

Sustaining Engineering. Similar
problems will continue to arise as operating
experience accumulates. This is true of all
propulsion systems, including aircraft gas
turbine engines and automotive engines.
Each program must, therefore, maintain an
active and competent sustaining engineering
team to investigate all anomalies as they
occur and develop any necessary corrective
action.

V. CONCLUSIONS

Based on its review of the history, status
and plans of the Space Shuttle Main Engine
(SSME) program, the SSME Assessment
Team concludes the following:

1. It is safe to continue to fly with the 
current engines provided that the 
current precautions and procedures 
such as special inspections, life limits, 
and configuration control continue to 
be implemented in an expert, 
disciplined, and vigilant manner. 

2. The safety and reliability of the SSME 
can be improved substantially by 
incorporating changes that increase the 
inherent ruggedness and operating 
margins of components, thus reducing 
reliance on people and processes. 

3. All of the major safety and reliability 
improvements currently in development 
should be implemented as they respond 
to known major concerns. They are 
listed in priority order based on 
estimated impact on engine safety and 
reliability: 

Priority I:   Single-Tube Heat Exchanger
              Alternate High-Pressure Oxidizer Turbopump
              Large-Throat Main Combustion Chamber.

Priority II:  Alternate High-Pressure Fuel Turbopump
              Two-Duct Powerhead.


4. Implementation of these changes should 
permit a less restrictive use of thrust 
in the event of an abort, thus permitting 
an improvement in the choice of abort 
mode options. 

5. These changes should be certified as 
soon as possible. The certification and 
implementation should be performed 
as a block change rather than a serial 
change as specified in the current plan. 
This should eliminate duplicate 
certifications and ensure that the 
changes take effect in the configuration 
that will fly. 

6. Although the Team did not possess the 
degree of expertise required to perform 
an in-depth analysis for a valid cost
comparison between the two 
approaches, it concluded, on the basis 
of the experience of its members, that 
the block change approach would be 
more economical than serial changes. 

7. Anomalies and new phenomena (e.g., 
"pops" and sensor malfunctions) are 
expected to continue to occur or be 
discovered as operating and test 
experience is gained. All such 
occurrences must continue to be 
investigated thoroughly and require a 
competent sustaining engineering 
activity. 

8. Although not specifically addressed in 
the body of this report, the program 
aimed at developing improved 
fabrication and inspection techniques 
for the SSME should be continued and
encouraged.

VI. RECOMMENDATIONS


Based on its conclusions, the Team 
recommends: 

1. Certification and implementation of 
all of the major safety and reliability 
improvements given in Conclusion 
Number 3. 

2. Implementation of proposed changes 
as a block change. Conduct an in-depth
evaluation of cost, schedule, and
technical impacts of the block change
approach versus the current serial plan;
include in the study long-term effects 
on costs such as recurring costs. 

3. Continuation of the practice of 
thorough investigation of all anomalies 
that occur in flight and tests such as 
"pops"; the development and 
implementation of corrective actions; 
and maintenance of an effective 
sustaining engineering activity. 


APPENDIX A


NATIONAL AERONAUTICS AND SPACE ADMINISTRATION 
MULTIYEAR AUTHORIZATION ACT OF 1992 


April 22, 1992. — Committed to the Committee of the Whole House on the State of
the Union and ordered to be printed


Mr. Brown, from the Committee on Science, Space, and
Technology, submitted the following

REPORT


[To accompany H.R. 4364]

[Including cost estimate of the Congressional Budget Office]

The Committee on Science, Space, and Technology, to whom was
referred the bill (H.R. 4364) to authorize appropriations to the National
Aeronautics and Space Administration for research and development,
space flight, control and data communications, construction
of facilities, research and program management, and Inspector
General, and for other purposes, having considered the
same, report favorably thereon with an amendment and recommend
that the bill, as amended, do pass.


ating margins within the SSME which is generally recognized as
the riskiest element of the Space Shuttle.

The Wide Diameter Throat and the Alternative Fuel Turbopump 
should be pursued as rapidly as possible. Accordingly, the Committee
encourages NASA in the strongest possible terms to undertake
these initiatives as quickly as possible. 

Safety Assessment of the Space Shuttle Main Engine 

The Committee requests that the Aerospace Safety Advisory 
Panel (ASAP) create a temporary task force of propulsion experts 
to conduct a thorough assessment of the Space Shuttle Main
Engine (SSME). The Committee believes that this temporary task
force should include propulsion experts drawn from academia and
elsewhere to augment the propulsion experts who are already
affiliated with the ASAP.

The Committee requests that the temporary task force: 1) assess 
the risks that the SSME poses to the safe operation of the Space 
Shuttle; 2) identify and evaluate safety improvements that could
eliminate or reduce these risks; and 3) recommend a set of priorities
that the task force believes should be followed on implementing
specific improvements.

Basically, the Committee wishes to receive an unbiased assessment
that could answer questions such as the following: How safe
is the SSME? Is it safe enough? If not, what improvements need to
be made? How quickly should these improvements be brought into
the operational inventory? What will be the cost of making these
improvements? What are the likely risks and consequences if these
improvements are not made? etc.

The Committee would like to receive a final report from the temporary
task force no later than February 1, 1993.

The Committee directs that the NASA Administrator provide the 
temporary task force with whatever: (1) data; (2) access to facilities, 
records, analyses, and personnel; and (3) financial and administra- 
tive support that may be required for the temporary task force to 
comply with this Congressional request. 

Section 10S(b)(2) — Space Shuttle Operations

President's request for fiscal year 1993 and estimates for subsequent
years:

    Fiscal year:
        1993    $3,115,200,000
        1994     3,116,200,000
        1995     3,115,200,000

Committee recommendation:

    Fiscal year:
        1993     3,105,200,000
        1994     3,142,500,000
        1995     3,180,200,000


Committee authorization recommendation 

This section authorizes $3,105,200,000 in fiscal year 1993,
$3,142,500,000 in fiscal year 1994, and $3,180,200,000 in fiscal year
1995 for Space Shuttle Operations. The authorization for fiscal year
1993 represents a decrease of $10,000,000 below the President's
request. This decrease represents a general reduction in Research


APPENDIX B

SPACE SHUTTLE MAIN ENGINE
ASSESSMENT TASK FORCE
(SSME ASSESSMENT TEAM)

Chairman
    Dr. Walter C. Williams
    Aerospace Consultant
    Tarzana, CA

Co-Chairman
    Dr. Seymour C. Himmel
    Aerospace Consultant
    Lakewood, OH

Members
    Mr. Thomas B. Mobley
    Director, Advanced Technology
    Martin Marietta Manned Space Systems
    New Orleans, LA

    Dr. Bruce A. Reese
    Aerospace Consultant
    Huntsville, AL

    Mr. Eusebio Suarez-Alfonso
    Aerospace Corporation
    Los Angeles, CA

    Dr. Richard Weiss
    Director, Propulsion Directorate
    Phillips Laboratory
    Edwards AFB, CA

Executive Secretary
    Mr. Chris Singer
    NASA Headquarters
    Washington, DC

Staff Assistant
    Ms. Patricia M. Harman
    NASA Headquarters
    Washington, DC 20546